JP2010271759A - Safety control device and safety control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce the cost of a safety relevant system configured by using a computer system. <P>SOLUTION: A processor is configured to execute an OS 100 to perform the scheduling of a safety monitoring process 21 and a safety control process 23 by switching a normal control scheduling pattern to a safety control scheduling pattern according to an abnormality has been detected by a safety monitoring process 21. In this case, the normal control scheduling pattern applied before the detection of the abnormality includes a first time partition for assigning an execution time to a normal control process 22 and a second time partition for assigning a processor execution time to the safety monitoring process 21. Also, the safety control scheduling pattern applied after the detection of abnormality includes a third time partition for assigning an execution time to a safety control process 23 and a fourth time partition for assigning the execution time to the safety monitoring process 21. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention relates to a safety control device mounted on a service robot, transportation equipment and the like for ensuring functional safety, and more particularly to a safety control device using a computer system.

  In the case of conventional industrial robots, measures have been taken to isolate the robot from humans so as not to harm humans. However, in the case of a service robot that is supposed to perform cooperative work with a person, the work space of the robot and the human activity range overlap. For this reason, it is difficult to take measures similar to those taken by conventional industrial robots in order to ensure the safety of service robots. Therefore, it is important to ensure functional safety in service robots. Functional safety refers to safety that is functionally achieved by implementing safety functions in a system that may cause some harm to humans and keeping the risk below an acceptable level.

  In order to ensure functional safety, the service robot has an external sensor and a self-diagnosis device. The service robot constantly monitors the safety state with an external sensor or a self-diagnosis device, and reduces risk by executing appropriate safety control logic when any danger is detected (see, for example, Patent Documents 1 and 2). For example, in Patent Document 1, a sensor is installed in a service robot, and when the approach or contact of a person to the robot is detected by the sensor, it is safe from a normal mode (an operation mode in which motor power is supplied to each joint for driving). It is disclosed to change to a mode (an operation mode in which the supply of motor power to each joint is stopped).

  In service robots, in general, because of the complexity of tasks (work) performed by robots, the complexity of mechanical mechanisms, and multifunctionality, computer systems (that is, programmable electronic devices such as microprocessors and the like) Computer program) is used for safety control.

  In addition to the service robots described above, IEC 61508 has been established as an international standard for functional safety for systems that operate on electrical principles such as transportation equipment, plant control, and medical equipment. In IEC 61508, a system provided to reduce risk (to ensure functional safety) is called a safety related system. IEC 61508 also targets programmable electronic devices, and defines various techniques for constructing safety-related systems using hardware such as microprocessors and PLCs (Programmable Logic Controllers) and computer programs (software).

JP 2002-86379 A JP 2008-191823 A

  By using the technique defined in IEC 61508, it is possible to construct a safety-related system using a computer system. In order to realize functional safety at a low cost, it is desirable to reduce the software scale. Therefore, it is efficient to execute only application programs related to functional safety on the computer system included in the safety-related system.

  On the other hand, in recent years, the processing capability of programmable electronic devices such as microprocessors has improved. For this reason, a multitasking OS (Operating System) is used to execute various application programs in parallel on a single computer system, thereby integrating multiple-use computer systems installed in devices such as partner robots and automobiles. can do.

  In order to reduce costs by integrating computer systems, the inventor of the present application uses an application program related to ensuring functional safety (hereinafter referred to as a safety-related application) as another application program (hereinafter referred to as a non-safety-related application). In addition, we examined the operation on one computer system. In this case, if the safety-related application and the non-safety-related application are not completely independent, it is necessary to apply the technique defined in IEC 61508 to the non-safety-related application. For this reason, there is a problem that the software development cost increases.

  The present invention has been made based on the above-described knowledge, and aims to reduce the cost of a safety-related system configured using a computer system.

  A safety control device according to an aspect of the present invention includes a hardware resource including at least one processor and a system program. The system program includes (a) a safety monitoring program for monitoring the occurrence of an abnormality related to the control object, (b) a normal control program related to the control of the control object at normal time, and (c) the control object at the time of abnormality. Control the allocation of execution time of the at least one processor to a safety control program associated with the control.

  Further, the processor executes the system program to assign the execution time to at least one program including the normal control program, and to at least one program including the safety monitoring program. The safety monitoring program and the normal control program are scheduled according to a normal control scheduling pattern including a second time partition to which an execution time is assigned.

  In addition, the processor executes the system program to perform safety control scheduling from the normal control scheduling pattern in response to an abnormality detected by the safety monitoring program executed in the second time partition. Switching to a pattern schedules the safety monitoring program and the safety control program. Here, the safety control scheduling pattern includes a third time partition that assigns the execution time to at least one program including the safety control program, and a first time partition that allocates the execution time to at least one program including the safety monitoring program. 4 time partitions.

  According to the above-described aspect of the present invention, the safety monitoring program executed according to the normal control scheduling pattern switches to the safety control scheduling pattern when an abnormality (that is, an unsafe state) is detected, and according to the safety control scheduling pattern. The safety control program can be executed reliably. In other words, the safety monitoring program and the safety control program are made independent from the normal control program by the time partitioning of the system program. For this reason, the normal control program can be excluded from the safety-related system, which can contribute to the cost reduction of the safety-related system configured using the computer system.

  ADVANTAGE OF THE INVENTION According to this invention, it can contribute to the cost reduction of the safety related system comprised using a computer system.

It is a block diagram which shows the structural example of the safety control apparatus concerning Embodiment 1 of invention. It is a figure for demonstrating the concept of the time partitioning in Embodiment 1 of invention. It is a conceptual diagram for demonstrating the concept of the resource partitioning in Embodiment 1 of invention. It is a figure which shows the relationship between the processes started in the execution environment provided by OS shown in FIG. It is a figure which shows the specific example of a scheduling pattern. It is a flowchart which shows the specific example of the process sequence of a safety monitoring process. It is a conceptual diagram which shows the process execution environment provided by OS which the safety control apparatus concerning Embodiment 2 of invention has.

  Hereinafter, specific embodiments to which the present invention is applied will be described in detail with reference to the drawings. In the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted as necessary for the sake of clarity.

<Embodiment 1 of the Invention>
The safety control device 1 according to the present embodiment is mounted on a service robot, a transportation device, or the like, and executes safety control for ensuring functional safety. The safety control device 1 is configured to execute a safety-related application and a non-safety-related application on the same computer system. FIG. 1 is a block diagram illustrating a configuration example of the safety control device 1 according to the present embodiment. Below, each element shown in FIG. 1 is demonstrated in order.

  The processor 10 performs calculation processing according to acquisition of a program (instruction stream), instruction decoding, and instruction decoding result. Although only one processor 10 is shown in FIG. 1, the safety control device 1 may have a multiprocessor configuration having a plurality of processors 10. The processor 10 may be a multi-core processor. The processor 10 provides a multiprogramming environment by executing an operating system (OS) 100 as a system program. A multi-programming environment is an environment in which multiple programs are executed in parallel by periodically switching and executing multiple programs, or by switching the programs to be executed in response to the occurrence of a certain event. means.

  Multiprogramming is sometimes called multiprocess, multithread, multitask, and the like. A process, a thread, and a task mean a program unit that is executed in parallel in a multiprogramming environment. Although these terms are often used confusedly, in general, a process is a program module to which a program execution environment such as a memory space is allocated independently and is highly independent of other processes. On the other hand, a thread is a finer parallel processing unit included in processes to be processed in parallel. In a multi-thread environment, a process includes multiple threads. Each thread can access resources allocated to the process, and the threads share a memory space. The multi-programming environment included in the processor 10 of the present embodiment may be a multi-process environment or a multi-thread environment.

The execution memory 11 is a memory used for program execution by the processor 10. The execution memory 11 stores a program (OS 100 and application program 110) loaded from the nonvolatile memory 13, input / output data of the processor 10, and the like. Note that the processor 10 may directly execute these programs (the OS 100 and the application program 110) from the nonvolatile memory 13 without loading the programs (the OS 100 and the application program 110) from the nonvolatile memory 13 to the execution memory 11.
Specifically, the execution memory 11 may be a random accessible volatile memory such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory). The execution memory 11 in FIG. 1 represents a logical unit. That is, the execution memory 11 may be, for example, a combination of a plurality of SRAM devices, a combination of a plurality of DRAM devices, or a combination of an SRAM device and a DRAM device.

  The I / O port 12 is used for data transmission / reception with an external device. For example, when the safety control device 1 is mounted on a service robot, the external device is a visual sensor that can measure an obstacle around the service robot, an actuator that operates the service robot, or the like.

  The non-volatile memory 13 is a memory device capable of maintaining stored contents more stably than the execution memory 11 without receiving power supply. For example, the nonvolatile memory 13 is a ROM (Read Only Memory), a flash memory, a hard disk drive or an optical disk drive, or a combination thereof. The nonvolatile memory 13 stores the OS 100 and the applications 101 to 103. Note that at least a part of the nonvolatile memory 13 may be configured to be removable from the safety control device 1. For example, the memory storing the applications 101 to 103 may be removable. Further, at least a part of the nonvolatile memory 13 may be disposed outside the safety control device 1.

  The OS 100 is executed by the processor 10 to use task resources including task scheduling, interrupt management, time management, resource management, task synchronization, and task using hardware resources such as the processor 10 and the memories 11 and 13. Provide inter-communication mechanism.

  Furthermore, in order to increase the independence of the safety monitoring application 101 and the safety control application 103 related to ensuring functional safety from the normal control application 102, the OS 100 includes a hardware including a processor 10, an execution memory 11, and an I / O port 12. It has a function to protect wear resources temporally and spatially.

  Of these, temporal protection is performed by partitioning a temporal resource called the execution time of the processor 10. Specifically, temporal protection is performed by partitioning the execution time of the processor 10 and assigning a task (process or thread) to each partition (referred to as a time partition). The scheduling function (time partition scheduler) of the OS 100 guarantees the use of resources including the execution time of the processor 10 for tasks assigned to each time partition.

  FIG. 2 is a conceptual diagram related to time partitioning. In the example of FIG. 2, an example in which a predetermined cycle time is divided into three time partitions TP1, TP2, and TP3 is shown. For example, when the cycle time is 100 Tick, the first 20 Tick is defined as TP1, the middle 30 Tick is defined as TP2, and the second 50 Tick is defined as TP3.

  In the example of FIG. 2, the first application (APL1) is assigned to TP1. A second application (APL2) is assigned to TP2. Further, the third and fourth applications (APL3 and APL4) are assigned to TP3. As time elapses, one of TP1 to TP3 becomes active, and the application assigned to the active time partition is executed by the processor 10. Note that general priority-based scheduling may be applied to scheduling processes or threads in each time partition.

  On the other hand, spatial protection is performed by partitioning fixed resources including the execution memory 11 and the I / O port 12 and assigning tasks to each partition (referred to as a resource partition). The OS 100 prohibits the task from accessing other resources beyond the previously assigned resource partition.

  FIG. 3 is a conceptual diagram related to resource partitioning. In the example of FIG. 3, two resource partitions RP1 and RP2 are shown. A part of the execution memory 11 and the nonvolatile memory 13 (A area) and a part of the I / O port 12 (port A) are allocated to RP1. Further, another part (B area) of the execution memory 11 and the nonvolatile memory 13 and another part (port B) of the I / O port 12 are allocated to RP2. Access from RP1 to the resource assigned to RP2 is prohibited, and access from RP2 to the resource assigned to RP1 is prohibited.

  Note that not all resources need to be exclusively assigned to any resource partition. That is, there may be a resource shared by a plurality of resource partitions. For example, when performing safety control of a service robot, the actuator needs to be accessible from both the normal control application 101 and the safety control application 102. Therefore, the I / O port for controlling the actuator may be shared by the resource partition to which the normal control application 101 belongs and the resource partition to which the safety control application 102 belongs.

  Returning to FIG. The applications 101 to 103 are executed in a multiprogramming environment provided by the OS 100 and the processor 10. Among these, the safety monitoring application 101 includes an instruction code for causing the processor 10 to monitor the execution status of the normal control application 102 and monitor input / output data to the I / O port 12. That is, the safety management application 101 is a safety-related application.

  Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a control procedure for causing a control target such as a service robot to perform a normal function / operation. That is, the normal control application 102 is a non-safety related application.

  In addition, the safety control application 103 includes an instruction code for causing the processor 10 to execute a control procedure determined in order to ensure functional safety in response to any abnormality detected by the safety monitoring application 101. That is, the safety control application 103 is a safety-related application.

  Subsequently, the relationship between processes generated by the activation of the applications 101 to 103 will be described with reference to FIG. FIG. 4 is a diagram illustrating the relationship between the processes 21 to 23 started in the multiprogramming environment provided by the OS 100.

  The safety monitoring process 21 is a process generated when the safety monitoring application 101 is activated. In the example of FIG. 4, the safety monitoring process 21 is assigned to the time partition TP1 and the resource partition RP1. The safety monitoring process 21 monitors the execution status of the normal control process 22, which is a fire safety related application, and monitors input / output data of the I / O port 12. Further, the safety monitoring process 21 selects a scheduling pattern that defines the switching order and timing when the OS 100 switches the time partition. The scheduling pattern will be described later.

  The normal control process 22 is a process generated when the normal control application 102 is activated. In the example of FIG. 4, the normal control process 22 is assigned to the time partition TP2 and the resource partition RP2.

  The safety control process 23 is a process generated by starting the safety control application 103. In the example of FIG. 4, the safety control process 23 is assigned to the time partition TP3 and the resource partition RP3.

  The scheduling table 24 holds a scheduling pattern that defines time partition settings. Note that the scheduling table 24 holds at least two different scheduling patterns. One is a scheduling pattern that is applied when abnormality detection by the safety monitoring process 21 is not performed (that is, during normal time). The other is a scheduling pattern applied when an abnormality is detected by the safety monitoring process 21. Hereinafter, the scheduling pattern applied in the normal time is referred to as “normal control scheduling pattern”. A scheduling pattern applied at the time of detecting an abnormality is called a “safe control scheduling pattern”. The OS 100 that performs time partition switching (partition scheduling) refers to the scheduling table 24 and performs partition scheduling according to the scheduling pattern specified by the safety monitoring process 21.

  FIG. 5A shows a specific example of the normal control scheduling pattern. FIG. 5B shows a specific example of the safety control scheduling pattern. In the normal control scheduling pattern of FIG. 5A, the time partition TP2 to which the normal control process 22 belongs is assigned to the first half (T1) of one cycle time. Further, the time partition TP1 to which the safety monitoring process 21 belongs is assigned to the second half (T2) of one cycle time. According to the scheduling pattern of FIG. 5A, the normal control process 22 and the safety monitoring process 21 are repeatedly scheduled.

  On the other hand, in the safety control scheduling pattern of FIG. 5B, the time partition TP3 to which the safety control process 23 belongs is assigned to the first half (T3) of one cycle time. Further, the time partition TP1 to which the safety monitoring process 21 belongs is assigned to the second half (T4) of one cycle time. According to the scheduling pattern of FIG. 5B, the safety control process 23 and the safety monitoring process 21 are repeatedly scheduled.

  The safety monitoring process 21 changes the scheduling pattern referred to by the OS 100 from the normal control scheduling pattern to the safety control scheduling pattern in response to detecting the abnormality of the normal control process 22 or the input / output data of the I / O port 12. Switch to.

  FIG. 6 is a flowchart showing a specific example of the processing procedure of the safety monitoring process 21. In steps S11 to S13, the occurrence of an abnormality in the normal control process 22, an abnormality in output data to the I / O port 12, and an abnormality in input data from the I / O port 12 are monitored. If any abnormality is detected, the safety monitoring process 21 changes the scheduling pattern referred to by the OS 100 to a safety control scheduling pattern (for example, FIG. 5B) (step S14).

  In step S15, the safety monitoring process 21 determines whether or not the abnormal state has been recovered. The return from the abnormal state may be determined based on whether all of the abnormality of the normal control process 22, the abnormal output data to the I / O port 12, and the abnormal input data from the I / O port 12 have been canceled.

  When the return from the abnormal state is determined (YES in step S15), the safety monitoring process 21 changes the scheduling pattern referred to by the OS 100 to the normal control scheduling pattern (for example, FIG. 5A) (step S16).

  As described above, in this embodiment, the safety monitoring application 101 (safety monitoring process 21) and the safety control application 103 (safety control process 23) are replaced by the normal control application 102 (normal control process) by time partitioning of the OS 100. 22). For this reason, the normal control application 102 (normal control process 22) can be excluded from the safety-related system. Therefore, according to the present embodiment, it is possible to construct a safety-related system small and contribute to the cost reduction of the safety-related system configured using a computer system.

<Embodiment 2 of the Invention>
The safety control device according to the present embodiment is a modification of the safety control device 1 described above. The overall configuration of the safety control device according to the present embodiment may be the same as the configuration of the safety control device 1 shown in FIG. FIG. 7 is a conceptual diagram showing a process execution environment provided by the OS included in the safety control device according to the present embodiment. In the present embodiment, the OS 100 provides interprocess communication for exchanging data between the normal control process 22 and the safety control process 23.

  In the example of FIG. 7, a shared memory 25 is provided for communication between processes 22 and 23. The safety control process 23 according to the present embodiment takes over control information related to the control target (service robot, transport equipment, etc.) from the normal control process via the shared memory 25. Then, the safety control process 23 starts safety control of the controlled object based on the inherited control information. As described above, when the safety control process 23 is switched to the safety control, the safety control process 23 takes over the control information, so that the safety control for the controlled object can be smoothly started.

  The shared memory 25 is just an example of a method for exchanging data between the processes 22 and 23. For example, a message queue or a socket may be used instead of the shared memory 25.

  Furthermore, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the gist of the present invention described above.

DESCRIPTION OF SYMBOLS 1 Safety control apparatus 10 Processor 11 Execution memory 12 I / O port 13 Non-volatile memory 21 Safety monitoring process 22 Normal control process 23 Safety control process 24 Schedule table 25 Shared memory 100 Operating system 101 Safety monitoring application 102 Normal control application 103 Safety Control application

Claims (6)

Hardware resources including at least one processor;
(A) a safety monitoring program for monitoring the occurrence of an abnormality related to the controlled object, (b) a normal control program related to the control of the controlled object in a normal time, and (c) a safety related to the control of the controlled object in an abnormal time A system program for controlling the allocation of execution time of the at least one processor to a control program;
With
The processor executes the system program to assign the execution time to at least one program including the normal control program, and the execution time to at least one program including the safety monitoring program. Scheduling the safety monitoring program and the normal control program according to a normal control scheduling pattern including a second time partition to which
The processor executes the system program to change from the normal control scheduling pattern to the safety control scheduling pattern when an abnormality is detected by the safety monitoring program executed in the second time partition. Switching, scheduling the safety monitoring program and the safety control program,
Here, the safety control scheduling pattern includes a third time partition for assigning the execution time to at least one program including the safety control program, and a first time partition for assigning the execution time to at least one program including the safety monitoring program. Including 4 time partitions,
Safety control device.   The safety control apparatus according to claim 1, wherein the safety control program takes over control information related to the control target from the normal control program and starts safety control of the control target based on the control information. The hardware resource further includes memory and at least one I / O port;
The processor that executes the system program includes:
When performing scheduling according to the normal control scheduling pattern, the storage area in the memory and the at least one I / O port are divided and allocated to the first and second time partitions,
When performing scheduling according to the safety control scheduling pattern, the storage area in the memory and the at least one I / O port are divided and allocated to the third and fourth time partitions.
The safety control device according to claim 1 or 2. A first time partition that allocates processor execution time to at least one program including a normal control program related to control of a control target in a normal time, and at least one safety monitoring program that monitors occurrence of an abnormality related to the control target Scheduling the safety monitoring program and the normal control program to be executed by the processor according to a normal control scheduling pattern including a second time partition that assigns the execution time to the program;
When the abnormality is detected by the safety monitoring program executed in the second time partition, the normal control scheduling pattern is switched to the safety control scheduling pattern, and the safety monitoring program and the control at the time of abnormality are Scheduling the processor to execute a safety control program associated with the control of interest;
With
The safety control scheduling pattern includes a third time partition for assigning the execution time to at least one program including the safety control program, and a fourth time for assigning the execution time to at least one program including the safety monitoring program. Including partitions,
Safety control method for the controlled object.   5. The method according to claim 4, further comprising: taking over control information related to the control target from the normal control program to the safety control program, wherein the safety control program starts safety control of the control target based on the control information. Method. The hardware resource further includes memory and at least one I / O port;
The method
Dividing and allocating the storage area in the memory and the at least one I / O port to the first and second time partitions when scheduling according to the normal control scheduling pattern;
Dividing and allocating the storage area in the memory and the at least one I / O port to the third and fourth time partitions when scheduling according to the safety control scheduling pattern;
The method according to claim 4 or 5, further comprising:

Images